In the world of banking, security has always been important and the recent breach at Tesco Bank is a timely reminder.

With an increased appetite for regulation in the banking sector and in the realms of data protection it is becoming ever more important for responsible companies to take action to tighten up their defences against the constant threat of data theft and fraud. Regulation is becoming a powerful lever to encourage banks to have robust mechanisms in place to protect their customers. The EU's General Data Protection Regulation (GDPR) raises the possibility of heavy fines if you fail to take steps.

Two growth areas in the world of banking are account aggregation and budgeting apps. They provide customers with the convenient ability to view all of their accounts and payments in one place. Unsurprisingly, banks are reluctant to endorse these apps because they spread the login credentials of their customers and increase the chance of data breaches. They also reduce the ability of the banks to advertise complementary products within their own apps and websites, and if the aggregators are badly behaved they can noticeably increase load on the bank's servers.

Aggregation apps often work by reverse engineering the API of the customer's bank and using the same credentials as the real customer to access the
API and retrieve the account details. They are normally set up to allow read-only access to an account, but the credentials are the same,
so any breach of customer data can expose their account to unauthorised access and theft.

What can banks do to protect themselves from this type of API abuse? The customer's login details provide user authentication, so the bank can tell who is attempting to access the API and block unauthorised access, but in this case the app has been given a valid login. So the important question here is not who is accessing the banking API, but what.

One simple method of app authentication is to use a key to secure the connection to the API: anything which presents the key is treated as a valid client. This mechanism typically involves embedding the key in the genuine app. Unfortunately it is often far too easy to extract the key from the app, and once extracted it works just as well for any other client.

For financial apps and organisations that are security- and reputation-conscious it is important to use the most up-to-date and comprehensive solutions to protect themselves and their customers. Approov provides a means for a bank to securely identify the mobile software trying to gain access to their API. They can block traffic which has not come from their official banking app and thereby prevent aggregation apps from accessing any customer information, even if they have the customer login details. Even if a bank is willing, or regulation enforces, that third parties can connect to the API, banks still want to be able to monitor and control access. Approov enables this by using our proprietary technology to perform analysis of the app code itself, ensuring that only authorised software can access the protected API.
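As an added illustration, not Approov's own code or token format, the following Python contrasts the two checks discussed above: a static key embedded in the app, which any client holding the extracted string can present, and a short-lived signed token issued by a server-side attestation step and verified by the API server, so the app never holds the signing secret. The token layout (base64url JSON payload plus HMAC-SHA256 tag), the function names and all values are assumptions constructed for this example.

```python
"""Static embedded API key versus short-lived signed app-attestation token.

Added example, not Approov's code or token format. The token layout and all
names and values below are constructed assumptions for illustration only.
"""
import base64
import hashlib
import hmac
import json

# --- Weak pattern: one static key embedded in the app binary ---------------
# Anyone who extracts this string from the app can present it; the server
# cannot tell the official app from a third-party client that copied it.
STATIC_APP_KEY = "constructed-static-key-do-not-use"


def check_static_key(presented_key: str) -> bool:
    """Static key check: proves possession of the key, not the identity of the software."""
    return hmac.compare_digest(presented_key, STATIC_APP_KEY)


# --- Stronger pattern: short-lived signed token, secret never in the app ----
# The signing secret is shared only between the attestation service and the
# API server. The app receives a token at run time after it has been
# attested; it never holds the secret, so there is nothing to extract.
SIGNING_SECRET = b"constructed-server-side-secret"   # constructed, server side only
OFFICIAL_APP_ID = "com.example.bank"                  # assumed official app identifier
TOKEN_TTL_SECONDS = 300


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(app_id: str, now: int, secret: bytes = SIGNING_SECRET) -> str:
    """Stand-in for the attestation service: sign a short-lived claim that the
    attested software is `app_id`. Runs server side only."""
    payload = json.dumps({"app": app_id, "exp": now + TOKEN_TTL_SECONDS},
                         separators=(",", ":")).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{_b64url(payload)}.{_b64url(tag)}"


def verify_app_token(token: str, now: int, secret: bytes = SIGNING_SECRET) -> tuple:
    """API-server check answering 'what software is calling?'.
    Returns (accepted, reason)."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = _b64url_decode(payload_b64)
        tag = _b64url_decode(tag_b64)
    except (ValueError, TypeError):
        return False, "malformed"
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad signature"      # tampered, or forged without the secret
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return False, "expired"            # a captured token is only useful briefly
    if claims.get("app") != OFFICIAL_APP_ID:
        return False, "unofficial app"     # attested, but not the bank's own app
    return True, "ok"


def authorize_request(user_session_valid: bool, app_token: str, now: int) -> tuple:
    """Both questions must be answered: who (user session) and what (app token)."""
    if not user_session_valid:
        return False, "user not authenticated"
    return verify_app_token(app_token, now)
```

The point of `authorize_request` is that a valid customer login on its own is not enough: the request must also carry a fresh token that only the attestation step can mint, so a client that has merely reused the customer's credentials is rejected even though the "who" check passes. In a real deployment the signing secret would be managed by the attestation service and the API gateway, and the app would fetch a new token each time the old one expires.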

By providing a mechanism to identify what is being used to retrieve information from the API, we give banks a whole new ability to identify unofficial sources of traffic. This is a valuable tool in the fight against fraud. It also provides a potential opportunity to help secure APIs in the brave new world of PSD2, where banks operating in the EU will be required to open their APIs to third parties. There are still challenges in the realm of more traditional web scraping attacks, but with the rise of mobile-first and mobile-only offerings, there must be a strong focus on protecting the mobile channel.

The financial sector has a regulatory responsibility to take customer security very seriously. By using Approov they have an opportunity to gain control of third-party access to their APIs. To us, it seems like a natural fit.